August 7, 2024 at 11:35AM
Threat actors are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2024-4885, in Progress WhatsUp Gold 23.1.2 and older versions. Proof-of-concept (PoC) exploits are available, and the attacks started on August 1, 2024, from six distinct IP addresses. Users are urged to upgrade to version 23.1.3 or implement firewall restrictions to protect against these attacks.
Based on the meeting notes, it is clear that there is an active exploitation of a critical-severity vulnerability, CVE-2024-4885, in Progress WhatsUp Gold 23.1.2 and older. The exploit allows unauthenticated attackers to execute commands with elevated privileges. Proof-of-concept exploits are publicly available, and the attempts to exploit the vulnerability have been observed from six distinct IP addresses starting from August 1, 2024.
Progress has released a security bulletin urging users to upgrade to the latest version, 23.1.3, to resolve the vulnerabilities. For those unable to upgrade, the vendor recommends monitoring exploitation attempts at the’/NmAPI/RecurringReport’ endpoint and implementing firewall rules to restrict access to trusted IP addresses on specific ports.
Additionally, security researcher Sina Kheirkhah has published a detailed technical write-up on the exploit, which involves sending a specially crafted request to the WhatsUp Gold reporting endpoint to ultimately cause remote code execution.
Given the active exploitation status, it is crucial for WhatsUp Gold admins to apply the latest security updates or mitigations and continue monitoring for suspicious activity. It is also recommended to place the WhatsUp Gold server behind a firewall and make it accessible only internally or by trusted IP addresses to mitigate the risk.